1. Field of the Invention
The present invention relates to a system for decrypting an encrypted content.
2. Description of the Related Art
Conventionally, in broadcast-type content distribution business, broadcast program content is encrypted, and the encrypted content is distributed to users. For example, a user decrypts encrypted content by using an authorized decryption unit leased by a distributor, and views/listens to the broadcast program through the obtained content. In broadcast-type content distribution business, however, there are unauthorized users who produce pirate decryption units (unauthorized decryption units) by copying internal information (decryption key or the like) of an authorized decryption unit, and can illegally decrypt encrypted content.
Various types of unauthorized user specifying methods are known, which can specify such an unauthorized user. Such unauthorized user specifying methods are classified into three types according to decryption key generation methods for users. The first type is a method based on a combinatric arrangement. The second type is a method based on a tree structure. The third type is a method based on an algebraic arrangement.
The first unauthorized user specifying method has a problem that a very large transmission overhead is required to sufficiently decrease the probability at which an authorized user who is not concerned in the generation of an unauthorized decryption unit is erroneously detected as an unauthorized user.
The second and third unauthorized user specifying methods solve this problem and achieve efficient transmission overhead.
An unauthorized decryption unit may store a plurality of decryption keys or data having functions equivalent to decryption keys in a conspiracy involving a plurality of unauthorized users. Black box tracking is sometimes performed for this unauthorized decryption unit to specify an unauthorized user by observing only the input/output of the unit without breaking it open. More specifically, a tracker who performs black box tracking assumes a candidate for an unauthorized user (to be referred to as a suspect hereinafter) and checks whether the decryption key of the suspect is held by an unauthorized decryption unit, by only observing the input/output of the unauthorized decryption unit.
In the second and third unauthorized user specifying methods, one of the following two problems is left unsolved:
Problem 1: In black box tracking, the intention of each input (assumed suspect) is known by an unauthorized decryption unit. If a smart unauthorized decryption unit reads the intention of an input and prevents the unauthorized user from being specified, black box tracking fails. This failure leads to a problem that an unauthorized user cannot be specified, or an innocent user is falsely accused.
Problem 2: Although an unauthorized decryption unit cannot read the intention of an input, the probability of correctly specifying an unauthorized user trades off with a transmission overhead. If, therefore, the transmission overhead is made efficient, the probability of correctly specifying an unauthorized user greatly decreases. The number of processing steps required for black box tracking is exponential, and hence such black box tracking is impracticable because a set of nCk=n!/{k!(n−k)!} suspects must be checked, where n is the total number of users and k is the maximum number of conspirators.
As described above, the conventional unauthorized user specifying methods fail in black box tracking with respect to smart unauthorized decryption units. In consideration of this problem, JP-A 2005-236963 (KOKAI) discloses an unauthorized user specifying method which can reliably execute black box tracking even with respect to a smart unauthorized decryption unit without allowing it to know the intention of an input.
Of the unauthorized user specifying methods disclosed in JP-A 2005-236963 (KOKAI), a method which achieves more efficient transmission overhead is a method in which the amount of transmission data is reduced by assigning the leaves of a tree structure to users and making a key generation polynomial multilevel. In this case, since the memory size which a decryption unit can have is limited by the manufacturing cost and the like, there is a demand for reducing the size of decryption key data to be held by the decryption unit. It is therefore preferable to further reduce the size of decryption key data to be held by the decryption unit.
As described above, the conventional unauthorized user specifying methods cannot achieve the two challenges of reliably executing black box tracking even with respect to a smart unauthorized decryption unit without allowing it to know the intention of an input and reducing the size of decryption key data to be held by the decryption unit.